Free CompTIA SecurityX / CASP+ CAS-005 Actual Exam Questions - Question 14 Discussion

Question No. 14
[Governance, Risk, and Compliance (GRC)]
An auditor is reviewing the logs from a web application to determine the source of an incident. The
web application architecture includes an internet-accessible application load balancer, a number of
web servers in a private subnet, application servers, and one database server in a tiered
configuration. The application load balancer cannot store the logs. The following are sample log
snippets:
Web server logs:
192.168.1.10 - - [24/Oct/2020 11:24:34 +05:00] "GET /bin/bash" HTTP/1.1" 200 453 Safari/536.36
192.168.1.10 - - [24/Oct/2020 11:24:35 +05:00] "GET / HTTP/1.1" 200 453 Safari/536.36
Application server logs:
24/Oct/2020 11:24:34 +05:00 - 192.168.2.11 - request does not match a known local user. Querying DB
24/Oct/2020 11:24:35 +05:00 - 192.168.2.12 - root path. Begin processing
Database server logs:
24/Oct/2020 11:24:34 +05:00 [Warning] 'option read_buffer_size1 unassigned value 0 adjusted to 2048
24/Oct/2020 11:24:35 +05:00 [Warning] CA certificate ca.pem is self-signed.
Which of the following should the auditor recommend to ensure future incidents can be traced back
to the sources?
Arjun A.
2026-02-14

A/E? Storing REMOTE_ADDR (E) is good for capturing what the web server actually sees, but if the load balancer isn’t forwarding the original client IP, then logs will just show the load balancer’s private IP, not the true source. Enabling X-Forwarded-For (A) at the load balancer lets the web servers log the real client IP from that header, which is more accurate for tracing incidents. So without A, E might still miss the real source. I’d recommend A to make sure the original client IP gets passed along properly.

0
Usman E.
2026-02-12

E imo, because storing REMOTE_ADDR on the web servers would capture the immediate client IP seen by each server, helping trace requests even if the load balancer isn’t forwarding client IPs properly.

0
Usman E.
2026-01-24

Not B, because HIDS won't fix the problem of unknown client IPs in logs. The key issue is the real source IP isn’t visible, so enabling the X-Forwarded-For header (A) makes more sense for tracing incidents.

0
Mason S.
2026-01-16

A imo, but does the question specify if the load balancer currently forwards client IPs? That’s key to know if enabling X-Forwarded-For will actually help trace the source.

0
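
The trade-off debated in this thread (logging REMOTE_ADDR versus the X-Forwarded-For header), as an added example that is not part of the original page or any commenter's post: a web-tier helper that decides which address to write to the access log. It assumes the load balancer lives in 192.168.1.0/24 (the subnet of the 192.168.1.10 address in the sample web server logs); the function names and the 203.0.113.x / 198.51.100.x client addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the load balancer sits in this subnet (192.168.1.10 is the
# address the sample web server logs record for every request).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(text):
    try:
        return ipaddress.ip_address(text.strip())
    except (ValueError, AttributeError):
        return None


def client_for_log(remote_addr, xff_header):
    """Return (client_ip, source); source tells the analyst where it came from."""
    peer = _parse(remote_addr)
    if peer is None:
        return remote_addr, "remote_addr-unparsed"
    # A peer outside the proxy tier connected directly: any X-Forwarded-For
    # it sent is client-controlled, so log the socket address instead.
    if not _is_trusted(peer) or not xff_header:
        return str(peer), "remote_addr"
    # Walk right to left: each trusted proxy appends the address it saw, so
    # the first untrusted hop from the right is what the load balancer
    # itself observed. Entries further left were supplied by the client.
    for hop in reversed(xff_header.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: stop rather than trust what precedes it
        if not _is_trusted(addr):
            return str(addr), "x-forwarded-for"
    return str(peer), "remote_addr"


def log_line(remote_addr, xff_header, request):
    client, source = client_for_log(remote_addr, xff_header)
    # Keep both values: the resolved client and the raw socket peer.
    return f'{client} peer={remote_addr} src={source} "{request}"'
```

Without the header, every entry resolves to the load balancer address, which is the situation the sample logs show; with it, the rightmost untrusted hop is logged and a client-supplied prefix in the header is ignored.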